
SSL/TLS Vulnerability Widely Unpatched

kaiengert writes "In November 2009 a Man-In-the-Middle vulnerability for SSL/TLS/https was made public (CVE-2009-3555), and shortly afterwards demonstrated to be exploitable. In February 2010 researchers published RFC 5746, which described how servers and clients can be made immune. Software that implements the TLS protocol enhancements became available shortly afterwards. Most modern web browsers are patched, but the solution requires that both browser developers and website operators take action. Unfortunately, 16 months later, many major websites, including several ones that deal with real world transactions of goods and money, still haven't upgraded their systems. Even worse, for a big portion of those sites it can be shown that their operators failed to apply the essential configuration hotfix. Here is an exemplary list of patched and unpatched sites, along with more background information. The patched sites demonstrate that patching is indeed possible."

  • Re:Self test? (Score:5, Informative)

    by Mysteray ( 713473 ) on Monday June 20, 2011 @04:00PM (#36505040)
    I like Qualys' SSL Labs [ssllabs.com]
  • Re:Self test? (Score:4, Informative)

    by caljorden ( 166413 ) on Monday June 20, 2011 @04:28PM (#36505370)

    I spent a few minutes looking for the same thing, and found that Firefox includes a check. If you visit an HTTPS site that is not secure, you will get a message in the Error Console under Messages saying something like this:

    site.example.com : server does not support RFC 5746, see CVE-2009-3555

    For more information, see https://wiki.mozilla.org/Security:Renegotiation [mozilla.org]

  • by Anonymous Coward on Monday June 20, 2011 @04:30PM (#36505406)

    After reading this article I ran a quick audit on all of our server farms and noticed that KB980436 was dutifully installed Sept 2010...however, upon closer scrutiny I noticed that this Security Patch from Microsoft doesn't prevent this vulnerability by default (but rather keeps it in "Compatibility Mode" by default). Windows SysAdmins need to take care to read MS10-049 and add the appropriate RegKeys to enforce "Strict Mode" to keep their servers from being vulnerable to this exploit. FYI, downloading and installing KB980436 is not enough.
